
chore(deps): update dependency semgrep to ~=1.78.0 #647

Merged
merged 1 commit into from
Jul 3, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jul 3, 2024

Mend Renovate

This PR contains the following updates:

Package: semgrep
Change: ~=1.76.0 -> ~=1.78.0

Release Notes

returntocorp/semgrep (semgrep)

v1.78.0

Compare Source

Added
  • Matching of fully qualified type names in the metavariable-type operator has
    been improved. For example:

    from a.b import C

    x = C()

    The type of x will match both a.b.C and C.

      - pattern: $X = $Y()
      - metavariable-type:
          metavariable: $X
          types:
            - a.b.C  # or C

    (code-7269)

Fixed
  • Symbolic propagation now works on decorator functions, for example:

    x = foo
    @x()  # this is now matched by pattern `@foo()`
    def test():
        pass (code-6634)

  • Fixed an issue where Python functions with annotations ending in endpoint,
    route, get, patch, post, put, delete, before_request or
    after_request (i.e., ones we associate with Flask) were incorrectly analyzed
    with the Code product in addition to the Secrets product when present in a file
    being ignored for Code analysis but included for Secrets. (scrt-609)

v1.77.0

Compare Source

Added
  • Semgrep will now report the id of the organization associated with logged in users when reporting metrics in the language server (cdx-508)

  • Pro: taint-mode: Improved index-sensitive taint tracking for tuple/list (un)packing.

    Example 1:

    def foo():
        return ("ok", taint)

    def test():
        x, y = foo()
        sink(x)  # nothing, no FP
        sink(y)  # finding

    Example 2:

    def foo(t):
        (x, y) = t
        sink(x)  # nothing, no FP
        sink(y)  # finding

    def test():
        foo(("ok", taint)) (code-6935)

  • Adds traces to help debug the performance of tainting. To send the traces added in the PR, pass
    --trace and also set the environment variable SEMGREP_TRACE_LEVEL=trace. To send them to a
    local endpoint instead of our default endpoint, use --trace-endpoint. (saf-1100)

Fixed
  • Fixed a bug in the generation of the control-flow graph for try statements that
    could e.g. cause taint to report false positives:

    def test():
        data = taint
        try:
            # Semgrep assumes that `clean` could raise an exception, but
            # even if it does, the tainted data will never reach the sink!
            data = clean(data)
        except Exception:
            raise Exception()
        # `data` must be clean here
        sink(data)  # no more FP (flow-78)
  • The language server (and semgrep --experimental) should no longer report errors from
    the metrics.semgrep.dev server such as "cannot read property 'map' of undefined". (metrics_error)
  • Fixed a bug in the gemfile.lock parser which causes Semgrep to miss direct
    dependencies whose package name does not end in a version constraint. (sc-1568)

Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.
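A regression check for the two taint-tracking changes quoted in the release notes above (tuple unpacking and the try-statement control-flow fix), written here as an added example; it is not part of this PR or of semgrep's own test suite. It assumes a rule id `tainted-sink`, the release notes' placeholder names `taint`, `sink` and `clean` (declared as a sanitizer so the try case can go clean), and an installed `semgrep` CLI for `semgrep --test`; the index-sensitive tuple case is documented above as a Pro-engine feature, so the OSS engine may still flag `sink(x)`.

```shell
# Added regression harness (not semgrep's or this PR's code). Assumed names:
# rule id "tainted-sink"; the release notes' placeholders taint / sink / clean.
write_rule() {
  cat > "$1/taint.yaml" <<'EOF'
rules:
  - id: tainted-sink
    languages: [python]
    severity: WARNING
    message: tainted data reaches sink()
    mode: taint
    pattern-sources:
      - pattern: taint
    pattern-sanitizers:
      - pattern: clean(...)
    pattern-sinks:
      - pattern: sink(...)
EOF
}

# Test fixture using semgrep's `# ruleid:` / `# ok:` annotations: the line
# after `ruleid` must be reported, the line after `ok` must not.
write_case() {
  cat > "$1/taint.py" <<'EOF'
def foo():
    return ("ok", taint)

def test_unpack():
    x, y = foo()
    # ok: tainted-sink
    sink(x)
    # ruleid: tainted-sink
    sink(y)

def test_try():
    data = taint
    try:
        data = clean(data)
    except Exception:
        raise Exception()
    # ok: tainted-sink
    sink(data)
EOF
}

# Write both files (same basename, as `semgrep --test` expects) into a scratch
# directory and let semgrep compare its findings against the annotations.
run_harness() {
  d=$(mktemp -d)
  write_rule "$d"
  write_case "$d"
  semgrep --test "$d"
}
```

Call `run_harness` after upgrading; a missed `ruleid` line or a spurious finding on an `ok` line shows up in the test report.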

@renovate renovate bot requested a review from thypon as a code owner July 3, 2024 01:36
@thypon thypon merged commit 625f3cd into main Jul 3, 2024
8 checks passed
@thypon thypon deleted the renovate/semgrep-1.x branch July 3, 2024 08:12